Changing webroot directories ownership

Discussion in 'Installation/Configuration' started by Keoz, Dec 26, 2022.

  1. Keoz

    Keoz Member

    OPERATING FRAMEWORK
    Hosting provider : OVH
    Machine : remote VPS
    OS distro : Ubuntu 22.04 LTS
    SSH user : superuser with sudo rights
    Panel : ISPConfig 3 (last)
    CLI terminal : MacBook Air

    Hello,

    For security reasons I wish to avoid activating and using the root user for SFTP connections from a local client to the remote server's webroot directories. Therefore, I wish a new user that has sudo rights to become owner of existing and future webroot directories on my Ubuntu OS (on the remote VPS), so as to allow him access to these via an SFTP client.

    To achieve this, do I have to both change the Apache user and change file ownership as explained in this web page?
    https://fedingo.com/how-to-change-apache-user/

    Regards
     
    Last edited: Dec 26, 2022
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to get access to a site by SSH, just create a shell user for it in ISPConfig. And if you want to get access to a site by FTP, create an FTP user. And of course, you can create sudo users on any Linux distribution, but this is neither related to ISPConfig nor to the user that owns websites on your server as a sudo user is just a normal Linux user that you configured to be able to become root user.

    This makes no sense for a hosting system and does not add any security. Website scripts do not run under the apache user anyway, and the files of a website are not owned by the apache user. ISPConfig uses a separate user for each site for security reasons.
     
  3. Keoz

    Keoz Member

    Hi Till
    A week ago I already created an FTP user, and today I created a shell user. Since then I found that the FTP connection from the FileZilla client to my remote VPS works fine with shell user credentials, but fails with FTP user credentials:

    FILEZILLA FTP CLIENT
    Connection attempt details with an example user, password and port (created in ISPConfig)

    CASE 1 - shell user (connection OK)
    Host : sftp://serverIPV4-ADDRESS
    Shell user : user1attempt
    Password : attwikipr@NX
    Port : 54228

    CASE 2 - (connection Fails)
    Host : sftp://serverIPV4-ADDRESS
    FTP user : user2attempt
    Password : attwikipr@UP
    Port : 54228

    I went further in ISPConfig by chrooting the shell user (case 1) using "Jailkit", which I selected instead of the default "none" setting in the shell user section. I thought that it would have limited the shell user, so that he may only have FTP access to the website root directory: /var/www/clients/client1/web2

    /// QUESTION ///
    But when the FTP connection gets established, the shell user has default access to server content at the level where the /var directory is located, but he is prevented from accessing upper directories. How then to constrain the FTP connection so that the shell user is by default directed to the website root directory (web2), and is prevented from accessing upper directories?

    Regards
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Which means you use the wrong settings in FileZilla. I explained that many many times here in the forum, but here again:

    FTP = FTP
    FTPS = FTP
    SFTP = Not FTP but SSH (Shell User)

    So what you did wrong is that you mixed up FTPS and SFTP, SFTP is SSH File Transfer Protocol, so it's not FTP. When you want to run your own Linux server, then it's important that you have some basic understanding of internet protocols and what they are used for and which daemon provides them. You should really consider taking some classes for Linux administration. This is all not related to ISPConfig btw.

    So as you can see, the solution to your problem is really easy, just learn how to use an FTP client like FileZilla correctly to enter FTP login credentials in the app instead of switching it to non-FTP mode and then wondering why FTP credentials of course do not work.

    That's all not related to the issue as you simply have to use FTP/FTPS, which you have not done. And you might read a bit about what jails are as this explains why you falsely think that a jailed SSH user can access /var (which he can't of course, he just sees something that for you looks like the system's /var folder, but it is not /var). But anyway, it's not related to FTP access at all anyway and just about shell access.
     
    Last edited: Dec 29, 2022
    ahrasis likes this.
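
The FTP/FTPS versus SFTP distinction explained in the post above can be checked from the client side by reading the greeting a port sends before any login. The following is an added example, not part of the thread or of ISPConfig; the function names are assumptions and the sample banners are constructed.

```python
import socket

def classify_banner(banner: bytes) -> str:
    """Classify the first line a server sends right after the TCP connect."""
    line = banner.split(b"\n", 1)[0].strip()
    if line.startswith(b"SSH-"):
        # RFC 4253 identification string: an SSH daemon, so SFTP.
        return "sftp"
    if line[:3] == b"220":
        # RFC 959 service-ready reply ("220 " or multi-line "220-"): an FTP
        # daemon, plain FTP or FTPS negotiated with explicit TLS.
        return "ftp"
    if not line:
        # Nothing before the client speaks, e.g. implicit TLS or a filtered port.
        return "silent"
    return "unknown"

# Which ISPConfig login type matches which listener, per the explanation above.
CREDENTIALS = {
    "sftp": "shell user; FileZilla protocol 'SFTP - SSH File Transfer Protocol'",
    "ftp": "FTP user; FileZilla protocol 'FTP', optionally with explicit TLS",
    "silent": "no greeting; check for implicit TLS or a firewall before retrying",
    "unknown": "not an SSH or FTP greeting; verify the port number",
}

def credential_for(banner: bytes) -> str:
    """Return the credential type that fits the service behind a banner."""
    return CREDENTIALS[classify_banner(banner)]

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to your own server and classify whatever it sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
    return classify_banner(data)

# Constructed sample greetings, not captured from the server in the thread.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
SAMPLE_FTP = b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_SSH, SAMPLE_FTP, b""):
        print(classify_banner(sample), "->", credential_for(sample))
```

Calling `probe()` with the server address and the port entered in FileZilla shows which daemon answers there, and therefore which of the two logins created in ISPConfig can work on that port.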
  5. Keoz

    Keoz Member
